The UK GDPR and Data Protection Act 2018 have been hot topics for almost a decade, yet the intricacies around how personal data should be handled remain an area of confusion for most.
These regulations do more than make it easy to unsubscribe from mailing lists and decline cookies. They add protection for your personal information and create important provisions that any user of online platforms like social media sites — where you may be discussing other people — should be aware of.
Here, Rory Leventhorpe from our reputation management team explores the legal ramifications of the GDPR on individuals, who — alongside businesses — can be data controllers too.
The General Data Protection Regulation (GDPR) was introduced in the UK on 25 May 2018. Post-Brexit, this became the UK GDPR from 1 January 2021, maintaining the same principles. When it came into force, news outlets reported that it was ‘difficult and confusing’ to understand and focused heavily on the protection that the regulations would bring to individuals against businesses using their personal data.
This has created a situation where very few people are aware of both their rights and obligations under the UK GDPR and Data Protection Act 2018.
The UK GDPR governs the processing of personal data (in broad terms, processing by automated means and manual processing that forms part of a structured filing system). Article 4(2) of the UK GDPR defines ‘processing’ as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means”. The definition is deliberately broad, and the article goes on to list specific examples, including “dissemination or otherwise making available”. That example acts as a ‘catch all’: making personal information public in any capacity constitutes ‘processing’.
However, the regulations do not impose obligations on everyone who handles personal data in the same way. The obligations discussed here fall on those who are defined as ‘data controllers’.
Article 4(7) of the UK GDPR states that ‘controller’ means the “natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”.
So, while many may see the UK GDPR as solely applying to businesses, it is possible for individuals to be caught under it as a “data controller”.
There is, however, an exemption for “purely personal or household activities” under Article 2(2)(a) of the UK GDPR. This means that activities such as creating family photo albums and emailing friends do not fall within the regulations.
Yet this exemption does not extend to those distributing data in a capacity outside of a ‘purely’ personal one. In the High Court case of Harrison v Cameron [2024] EWHC 1377 (KB), Steyn J considered this exemption in light of previous case law. In this case the defendant, Mr Cameron, had recorded two telephone calls with the claimant, Mr Harrison. Mr Cameron alleged that during these calls Mr Harrison had made demands and threats against him. Mr Cameron shared the recordings with third parties, including family and friends. He then refused to answer a Subject Access Request made by Mr Harrison which sought information as to who the recordings had been shared with, leading to Mr Harrison issuing court proceedings and asserting that Mr Cameron was a data controller under the UK GDPR.
Mr Harrison’s claim against Mr Cameron was dismissed on the basis that Mr Cameron was acting merely as an agent of the second defendant (a company of which Mr Cameron was a director). If the second defendant was the data controller, Mr Cameron could not be the controller as well.
More pertinently, the Judgment emphasised the word ‘purely’ in “purely personal” and considered that this exception to the rule should be construed narrowly. In other words, any processing which could be seen as being outside of the purely personal is unlikely to be included in the exemption.
Those who use social media as a business enterprise — including those who receive income through advertising via their platform — are likely to be seen as operating in their capacity as a business and therefore fall outside of the scope of ‘purely personal’.
These individuals therefore become data controllers under the UK GDPR and should ‘process’ any personal information of others in-line with the regulations. This includes sharing the personal information of others that is not already public via social media stories, posts and comments.
The UK GDPR covers personal and special category information only. It does not extend to any and all information. However, the regulations do cover a wide variety of topics that many may not realise are protected.
Personal data is defined under Article 4(1) of the regulations. It includes any information relating to an identified or identifiable natural person. This is a purposefully broad definition and includes online identifiers such as social media handles, physical attributes or other characteristics that could point to the identity of the individual.
If personal data is being ‘processed’, the UK GDPR imposes strict requirements on how that data may be used. The data controller is under a duty pursuant to Article 5 of the UK GDPR to comply with (and to be able to demonstrate that it complies with) the six data protection principles set out in Article 5(1).
The principles lay out the way in which data should be processed. Importantly, the data should be processed lawfully, fairly and in a transparent manner in relation to the data subject. It should also be limited to what is necessary in relation to the purposes for which it is processed.
Therefore, when discussing the personal information of those on an internet platform, the data controller should be questioning whether there is a legitimate reason why this information is being shared.
Further rules govern ‘special category’ data. Article 9(1) of the regulations prohibits the processing of personal data “revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership”, as well as “genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation”.
That prohibition applies unless one of the specific conditions in Article 9(2) is met. These include where the individual has given explicit consent, or where the information has manifestly been made public by the individual concerned. The remaining conditions are more fact-specific and depend on the situation.
So, by discussing any of the matters defined as ‘special category’ data without the explicit consent of the individual (and where no other Article 9(2) condition applies), you could unknowingly be breaching their rights under the UK GDPR.
If you are on social media or any internet platform which has a public following and you discuss information about others, you should be following the regulations. It is possible that by discussing others private lives you are unknowingly breaching their rights under the UK GDPR and processing their information in a way which is against the regulations.
To give an example, if you are a social media influencer and you post private information about somebody’s health to your Instagram story without their permission, this is likely to be a breach of the UK GDPR. Such a breach could lead to a claim against you from the individual whose data you have unfairly processed. The UK GDPR and Data Protection Act 2018 allow individuals to claim compensation from those who have unfairly processed their data, and allow fines to be imposed by the regulator.
It is therefore crucial that, before you use your online platform to discuss others, you ask whether you could be infringing their rights under the UK GDPR.
If you need help understanding your rights and obligations under data protection regulations like the UK GDPR, we are here to help. Our reputation management experts work with many influencers, content creators, brands, agencies and others to ensure that they stay compliant and minimise the risks of being active online.
If you need our advice, call us now on 0333 004 4488, send us an email at hello@brabners.com or send us a message.
Disclaimer: This article acts as a brief and accessible overview of core principles relating to the UK GDPR and does not cover the in-depth details of the regulations.
